forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathXSS.qhelp
More file actions
46 lines (37 loc) · 1.25 KB
/
XSS.qhelp
File metadata and controls
46 lines (37 loc) · 1.25 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Directly writing user input (for example, an HTTP request parameter) to a web
page, without properly sanitizing the input first, allows for a cross-site
scripting vulnerability.</p>
</overview>
<recommendation>
<p>To guard against cross-site scripting, consider encoding/escaping the unstrusted
input before including it in the HTML.</p>
</recommendation>
<example>
<p>The following example shows a simple web handler that writes a path of the
URL parameter directly to an HTML response, leaving the website vulnerable to
cross-site scripting:</p>
<sample src="XSSBad.rs" />
<p>To fix this vulnerability, the user input should be HTML-encoded before being
included in the response:</p>
<sample src="XSSGood.rs" />
</example>
<references>
<li>
OWASP:
<a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">XSS
(Cross Site Scripting) Prevention Cheat Sheet</a>.
</li>
<li>
WiMISSING: Alert[rust/xss]kipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
</li>
<li>
OWASP:
<a href="https://owasp.org/www-community/attacks/xss/">Cross-site Scripting (XSS)</a>.
</li>
</references>
</qhelp>